ACE Loadbalance ssl match header

jbbouillet
Level 1

Hello,

I created several rules to balance some apps on a specific server. Everything works great in HTTP but not in HTTPS.

In my example, I would like https://www.app2.com/ to be redirected to my server2, but it is always using the default rules instead of the L7CLASSSrv2. Today www.app1.com is well redirected. All other apps are correctly load-balanced with the stickiness effect, but I can't handle the HTTPS connections.

class-map match-all L4-WEB-IP
  2 match virtual-address xxxx tcp eq www

class-map match-all L4-WEBHTTPS-IP
  2 match virtual-address xxxx tcp eq https

class-map type http loadbalance match-any L7CLASSSrv1
  2 match http header Host header-value "www.app1.com/*"

class-map type http loadbalance match-any L7CLASSSrv2
  2 match http header Host header-value "www.app2.com/*"

policy-map type loadbalance http first-match WEB_L7_POLICY
  class L7CLASSSrv1
    serverfarm SINGLE_WEB1
    insert-http X-FORWARDED-FOR header-value "%is"
    insert-http x-forward header-value "%is"
    insert-http X-FORWARED-FOR header-value "%is"
  class L7CLASSSrv2
    serverfarm SINGLE_WEB2
    insert-http X-FORWARDED-FOR header-value "%is"
    insert-http x-forward header-value "%is"
  class class-default
    sticky-serverfarm SGROUP
    insert-http x-forward header-value "%is"
    insert-http X-FORWARDED-FOR header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan xxxx
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-WEBHTTPS-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan xxx
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

Thanks for your help.

Regards,

JB

4 Replies

vpurbiya
Level 1

Hi John

One question is whether you want the SSL termination handled by the ACE or by the actual servers.

If on the ACE, you need to import the SSL cert/key on the ACE and then try the same.

Hello,

Today the SSL traffic termination is managed by the web servers and it works well.

I just want, for a specific app, to balance on a specific server in HTTPS as I do in HTTP.

Hi Jean-Baptiste

The problem you hit is that you want to search for some information in the HTTP header. It works perfectly well with HTTP; however, in the case of HTTPS this header is encrypted, so the ACE simply can't get anything from it. There is only one way to have it working: doing the decryption on the ACE.

What you can do, if you don't want to touch your servers, is End-to-End SSL on the ACE. This is an implementation where the client initiates an HTTPS connection, it gets terminated and decrypted on the ACE, and then the ACE initiates a new SSL connection to the server.

As a result, traffic is encrypted everywhere and you don't need to do any reconfiguration on the server, as it will still get HTTPS requests.

You can find an example of such configuration here :

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
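
The end-to-end SSL layout described in this reply, as an added sketch that is not from the original thread or the linked Cisco example: the HTTPS VIP is terminated on the ACE (`ssl-proxy server`), so the Host header is visible to the existing L7 policy, and the chosen serverfarm is reached over a new TLS session (`ssl-proxy client`) while the servers keep listening on 443 unchanged. The names SSL_PARAMS, SSL_TERM, SSL_BACKEND, SRV2, the PEM file names and the 10.0.0.12 address are assumptions; lines starting with `!` are annotations to drop before pasting.

```text
! Client side: terminate HTTPS on the ACE so the Host header can be matched.
! Restrict protocol version and ciphers since the ACE now holds the private key.
parameter-map type ssl SSL_PARAMS
  version TLS1
  cipher RSA_WITH_AES_256_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA

! Key and certificate imported beforehand with "crypto import" (assumed file names).
ssl-proxy service SSL_TERM
  key app-key.pem
  cert app-cert.pem
  ssl advanced-options SSL_PARAMS

! Server side: ACE acts as TLS client towards the real servers; no key/cert needed here.
ssl-proxy service SSL_BACKEND
  ssl advanced-options SSL_PARAMS

! Backend keeps its own TLS listener on 443 (assumed address), so nothing changes on it.
rserver host SRV2
  ip address 10.0.0.12
  inservice

serverfarm host SINGLE_WEB2
  rserver SRV2 443
    inservice

! Same Host-header class as in the question; re-encryption is attached to the serverfarm.
policy-map type loadbalance http first-match WEB_L7_POLICY
  class L7CLASSSrv2
    serverfarm SINGLE_WEB2
    ssl-proxy client SSL_BACKEND
    insert-http X-FORWARDED-FOR header-value "%is"

! Termination is attached to the HTTPS VIP class from the question.
policy-map multi-match WEB-to-vIPs
  class L4-WEBHTTPS-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    ssl-proxy server SSL_TERM
    nat dynamic 1 vlan xxx
```

Every class that the HTTPS VIP can reach (L7CLASSSrv1 and the sticky class-default included) needs its own `ssl-proxy client`, otherwise the ACE forwards the decrypted request in clear text to a server port that expects TLS. Since one VIP presents a single certificate, that certificate must cover both www.app1.com and www.app2.com (a SAN or wildcard certificate).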

Hi,

Thanks for your feedback. I understand now why it's not working; I thought that the URL was not in an encrypted field for the ACE. I will look at the article you linked in detail.

Regards,